<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>volatility.win32.tasks : API documentation</title>
    <meta content="text/html;charset=utf-8" http-equiv="Content-Type" />
    <link href="apidocs.css" type="text/css" rel="stylesheet" />
    
    
  </head>
  <body>
    <h1 class="module">v.w.tasks : module documentation</h1>
    <p>
      <span id="part">Part of <a href="volatility.html">volatility</a>.<a href="volatility.win32.html">win32</a></span>
      
      
    </p>
    <div>
      
    </div>
    <div>&#64;author:       AAron Walters<br />
&#64;license:      GNU General Public License 2.0 or later<br />
&#64;contact:      <a class="rst-reference external" href="mailto:awalters&#64;volatilesystems.com" target="_top">awalters&#64;volatilesystems.com</a><br />
&#64;organization: Volatile Systems<table class="fieldTable"></table></div>

    
    
    <div id="splitTables">
      <table class="children sortable" id="id1382">
  
  
<tr class="function">
    
    
    <td>Function</td>
    <td><a href="volatility.win32.tasks.html#get_kdbg">get_kdbg</a></td>
    <td><span class="undocumented">No summary</span></td>
  </tr><tr class="function">
    
    
    <td>Function</td>
    <td><a href="volatility.win32.tasks.html#pslist">pslist</a></td>
    <td><span>A Generator for _EPROCESS objects</span></td>
  </tr><tr class="function">
    
    
    <td>Function</td>
    <td><a href="volatility.win32.tasks.html#find_space">find_space</a></td>
    <td><span>Search for an address space (usually looking for a GUI process)</span></td>
  </tr><tr class="function">
    
    
    <td>Function</td>
    <td><a href="volatility.win32.tasks.html#find_module">find_module</a></td>
    <td><span>Uses binary search to find what module a given address resides in.</span></td>
  </tr>
  
</table>
      
      
    </div>
    
    
    

    <div class="function">
  <a name="volatility.win32.tasks.get_kdbg">
    
  </a>
  <a name="get_kdbg">
    
  </a>
  <div class="functionHeader">
    
    def
    get_kdbg(addr_space):
    
  </div>
  <div class="functionBody">
    
    <div><p>A function designed to return the KDBG structure from
an address space. First we try scanning for KDBG and if
that fails, we try scanning for KPCR and bouncing back to
KDBG from there.</p>
<p>Also note, both the primary and backup methods rely on the
4-byte KDBG.Header.OwnerTag. If someone overwrites this
value, then neither method will succeed. The same is true
even if a user specifies --kdbg, because we check for the
OwnerTag even in that case.</p><table class="fieldTable"></table></div>
  </div>
</div><div class="function">
  <a name="volatility.win32.tasks.pslist">
    
  </a>
  <a name="pslist">
    
  </a>
  <div class="functionHeader">
    
    def
    pslist(addr_space):
    
  </div>
  <div class="functionBody">
    
    <div>A Generator for _EPROCESS objects<table class="fieldTable"></table></div>
  </div>
</div><div class="function">
  <a name="volatility.win32.tasks.find_space">
    
  </a>
  <a name="find_space">
    
  </a>
  <div class="functionHeader">
    
    def
    find_space(addr_space, procs, mod_base):
    
  </div>
  <div class="functionBody">
    
    <div>Search for an address space (usually looking for a GUI process)<table class="fieldTable"></table></div>
  </div>
</div><div class="function">
  <a name="volatility.win32.tasks.find_module">
    
  </a>
  <a name="find_module">
    
  </a>
  <div class="functionHeader">
    
    def
    find_module(modlist, mod_addrs, addr):
    
  </div>
  <div class="functionBody">
    
    <div><p>Uses binary search to find what module a given address resides in.</p>
<p>This is much faster than a series of linear checks if you have
to do it many times. Note that modlist and mod_addrs must be sorted
in order of the module base address.</p><table class="fieldTable"></table></div>
  </div>
</div>
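    <div>
      <p>The lookup described for find_module, as an added example that is not Volatility's own code: it attributes addresses (for instance pointers recovered from a memory image) to the module whose range contains them, and reports addresses that fall outside every module. Assumptions: modlist is a dict keyed by module base address, mod_addrs is the sorted list of those bases, and the Module record, build_index, attribute and all sample addresses are hypothetical and constructed for illustration.</p>
<pre>
```python
from bisect import bisect_right
from collections import namedtuple

# Hypothetical stand-in for a loaded-module record (base address and image size).
Module = namedtuple("Module", ["name", "base", "size"])

def build_index(modules):
    """Return (modlist, mod_addrs): dict keyed by base, and the sorted list of bases."""
    modlist = dict((m.base, m) for m in modules)
    mod_addrs = sorted(modlist)  # the binary search is only valid on sorted bases
    return modlist, mod_addrs

def find_module(modlist, mod_addrs, addr):
    """Return the module whose [base, base + size) range contains addr, else None."""
    # Index of the last base that is not greater than addr.
    pos = bisect_right(mod_addrs, addr) - 1
    if pos == -1:
        return None  # addr lies below the lowest module base
    mod = modlist[mod_addrs[pos]]
    if addr >= mod.base + mod.size:
        return None  # addr lies in the gap after this module
    return mod

# Constructed sample data, deliberately unsorted; not taken from a real memory image.
SAMPLE_MODULES = [
    Module("tcpip.sys", 0xF8A00000, 0x58000),
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("hal.dll", 0x806CF000, 0x20000),
]

def attribute(addrs, modules=SAMPLE_MODULES):
    """Map each address to its owning module name, or 'UNKNOWN' if none owns it."""
    modlist, mod_addrs = build_index(modules)  # sort once, then query many times
    out = {}
    for a in addrs:
        mod = find_module(modlist, mod_addrs, a)
        out[a] = mod.name if mod else "UNKNOWN"
    return out

if __name__ == "__main__":
    sample = [0x804D7000, 0x806D0000, 0x80700000, 0xF8A57FFF]
    for a, name in sorted(attribute(sample).items()):
        print("0x%08x -> %s" % (a, name))
```
</pre>
      <p>The upper-bound check matters for analysis: without it, an address in the unbacked gap after a module would be attributed to that module instead of being flagged as belonging to none.</p>
    </div>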
    <address>
      <a href="index.html">API Documentation</a> for Volatility 2.2, generated by <a href="http://codespeak.net/~mwh/pydoctor/">pydoctor</a> at 2013-06-24 15:16:10.
    </address>
  </body>
</html>